EU countries diluted new rules regulating information-sharing on cybersecurity breaches, making it impossible to monitor hackers’ assaults on member states’ critical infrastructure, a top European Commission official said today (26 April).

EU countries must still cooperate much more on cybersecurity after the bloc passed its first ever law regulating how they inform each other about security breaches, said Jakub Boratyński, head of the security unit at the Commission’s technology arm DG CONNECT.

Boratyński said the new cybersecurity rules agreed in December are a lot weaker than the EU executive wanted.

The network and information security (NIS) directive, the first-ever EU-wide cybersecurity law, will go into effect in 2018.

Negotiations on the directive were hampered by EU countries’ wariness over exchanging sensitive information with all 28 member states about security breaches in critical infrastructure such as banking and energy grids.

But there is still room for EU countries to step up their game and share more information about cybersecurity attacks, Boratyński added.

“There is a possibility for this to grow and to advance. I would not expect this to be immediate, unless we have some major defining moment, like a major anti-terrorism policy like we had in the wake of the recent attacks,” Boratyński said at a Brussels conference.

“If you look at the original Commission proposal, we wanted very ambitious information sharing between member states, which would ensure assessment of risks, threat intelligence and coordination of response to attacks. That approach was not taken on board,” Boratyński added.

“What we will have at the end is a network of CSIRTs, national computational response teams.”

Under the new rules, cybersecurity experts from EU member states will exchange details of security threats, attacks and how authorities responded—although those meetings are voluntary.

One Commission official said that the terrorist attacks in Brussels and Paris over the last few months would likely not push EU countries to step up their work together on cybersecurity.

“If you look at the recent terrorist attacks, the cyber element is irrelevant,” the official said.

“So far we do not have cases when terrorists were behind an attack on critical infrastructure.”

Commission officials pointed to how EU countries share law enforcement data with Europol as an indicator of how the executive wants them to eventually share more cybersecurity information.

“Cybersecurity is at an earlier stage,” one official said, referring to an “incremental process”.

Some EU countries do share details of cybersecurity breaches with other member states, but larger, wealthier member states are less willing to exchange information with smaller countries.

Four months after the NIS directive was rubber-stamped, there are still more cybersecurity rules coming.

The Commission will propose a so-called implementing act this autumn to clarify details in the new rules, including security measures and specifics on how breaches will be notified to authorities.

Boratyński said one of the most difficult parts of the fraught negotiations was getting member states to agree that cloud computing services are critical infrastructure, meaning security breaches on clouds will have to be reported to authorities.

“We have thousands of European companies that rely on clouds the way they rely on electricity and other essential services,” Boratyński said.

“It’s the new frontier of cybersecurity and we simply need to get it right,” he added.

Background

An EU cybersecurity strategy was presented by the Commission in 2013, covering the internal market, justice and home affairs, and foreign policy angles of cyberspace.

The European Commission shortly after proposed a directive with measures to ensure harmonised network and information security across the EU.

Member states and the European Parliament agreed in December 2015 on the directive, which will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”

The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.

All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.

Timeline

autumn 2016: European Commission to propose implementing act in NIS directive, including new security measures and details of how security breach information is notified to authorities

Comments

It is growing but I think there is the real need of a united Cyber-security with a real cyber-security E.U. department where information gets data-stored whilst member-states can access those data in a centralized manner!


Joe Thorpe

26/04/2016 19:09

It’s the same old story. EU countries that spend nothing on their security & defense will demand that the UK & France do their work for them & freely hand over any intelligence they go out & find. Why would you show your hand to your enemies? Security & Defense is the first job of any government & showing your capabilities to people you don’t trust to keep your data safe & secure will threaten the ability of in our case Mi6, Mi5, GCHQ & the DoD to keep us safe. Take a for instance, say we said you should…


an european

27/04/2016 01:07

“spend nothing on their security & defense” Clear that’s why free movements of persons requires free movements of secret data flow and this for security matter! E.U. Sharing capabilities, Investigations, homeland security!!! But I won’t nor you are going to change soon things which are Top Secret! Trust or not trust M0 or MX1 but you better have to because you as everyone else is concerned on these times on hidden terrorists Undergrounds threaten England Europe America and the whole western civilization! There is no excuse today if a nuclear Power-station is being nuked…